Update( May 28 2015)
The porting work of the PaX patch already done. We tested it with Towel & KINGROOT. The result as expected: they all failed to root the Android 5.0.2 with kernel code base from 2014. Perhaps, we might try to make GRSEC & RBAC into the Android in the future………
armv7-nexus7-grsec
PaX/Grsecurity patch for Nexus7, which the original version is 3.4 kernel based with a bunch of backport features and fixes. In some particular cases, TrustZone is useless if the Android kernel were compromised. I don't think we need another rootkit-friendly solution like SELinux always does. Get rid of one entire class of vulns in kernel would be an inevitable ways to make your device secure.
Credit for PaX/Grsecurity
PaX/Grsecurity is the most respected 0ld sch00l community and they have been creating the best defense-in-depth kernel hardening solution for 14 years. What PaX/Grsecurity brings to us, is amazing and incridble work. Unfortunately, there are a lot of reasons that PaX/Grsecurity don't get the credit what they deserves. Let me make this short: To love those who are hatred by BIG BROTHER. That's the fuc*ing point.
What makes us ticks
The age of IoT( Internet of things) is coming soon…There will be huge numbers of devices running with diverse communication protocols. For the simply classify, I'll only treat these devices as two types: One with TCP/IP stack, or not. The one with TCP/IP stack might have high probablity run with GNU/Linux. The one without TCP/IP stack may be just a simple MCU stuff. The heterougenous network need to be protected in various ways. These devices may be running on our cars, refrigrator, or everywhere around us, which could be a risk to our money-shitty property and even lives. That’s one of most important reasons we need to "H A R D E N E N I N G E V E R Y T H I N G" by free software.
PaX/Grsecurity
NAME | DESCRIPTION | AUTHORS |
---|---|---|
PAGEEXEC | paging based non-executable pages | The PaX team, Mar 15 2003 |
SEGMEXEC | segmentation based non-executable pages | The PaX team, May 1 2003 |
ASLR | address space layout randomization | The PaX team, Mar 15 2003 |
MPROTECT | mmap() and mprotect() restrictions | The PaX team, Nov 4 2003 |
RANDUSTACK | userland stack randomization | The PaX team, Feb 12 2003 |
RANDKSTACK | kernel stack randomization | The PaX team, Jan 24 2003 |
RANDMMAP | mmap() randomization | The PaX team, Jan 24 2003 |
RANDEXEC | non-relocatable executable file randomization | The PaX team, Feb 19 2003 |
VMMIRROR | vma mirroring, the core of SEGMEXEC and RANDEXEC | The PaX team, Oct 6 2003 |
EMUTRAMP | gcc nested function and kernel sigreturn trampolines emulation | The PaX team, May 1 2003 |
EMUSIGRT | automatic kernel sigreturn trampoline emulation | The PaX team, Feb 19 2003 |
UDEREF | Prevent improper userland code/date access by the kernel | The PaX team, May 15 2007 |
PaX/Grsecurity writings
intro | Dec 30 2010
Assorted Notes on Defense and Exploitation | Dec 31 2010
False Boundaries and Arbitrary Code Execution | Jan 2 2011
The Dangers of Copy and Paste | Feb 1 2011
The Unseen Benefits of a Security Mindset | Mar 12 2011
Much Ado About Nothing: A Response in Text and Code | Apr 16 2011
Recent Advances: How We Learn From Exploits | Feb 15 2012
Supervisor Mode Access Prevention | Sep 7 2012
Inside the Size Overflow Plugin | Aug 28 2012
Recent ARM Security Improvements | Feb 18 2013
KASLR: An Exercise in Cargo Cult Security | Mar 20 2013
Guest Blog by Rodrigo Branco: PAX_REFCOUNT Documentation | Mar 21 2015
GCC plugins
Better kernels with GCC plugins
History
2005
grsecurity 2.1.0 and kernel vulnerabilities
the “Turing Attack” (was: Sabotaged PaXtest)
2009
2010
Brad Spengler (PaX Team/grsecurity) interview
2011
proactive defense: using read-only memory
2012
Why are the grsecurity patches not included in the Vanilla Kernel?
2013
How The Linux Foundation and Fedora are Addressing Workstation Security
2014
Some Links for Newbies on Grsecurity, and the Big Picture
How GNU/Linux distros deal with offset2lib attack?